True to one of our predictions for the year, 2011
has been dubbed the “Year of Data Breaches,”
as we witnessed organizations worldwide
succumb to targeted breach attacks and lose
what we have come to know as the new digital
currency—data. As individuals and organizations
alike embark on the cloud journey, we at Trend
Micro, along with our fellow cybercrime fighters
in law enforcement and the security industry, will
continue to serve our customers by providing
data protection from, in, and for the cloud.

Proven 2011 Trend Micro Predictions
2011 has been dubbed the “Year of Data Breaches,” marring organizations worldwide via huge information and financial losses
2011 saw the mobile threat landscape mature, as evidenced by the staggering spike in the mobile malware volume
2011 was a good year for social media spammers and scammers but not such a good one for site administrators and regulators
2011 continued to be a bad one in terms of exploits despite the decline in the number of publicly reported vulnerabilities
2011 continued to be plagued by attacks that made use of traditional vectors, which refused to quietly fade into the background
2011 witnessed the emergence of new threat actors with politically charged agendas

Trend Micro Security Wins
2011 marked significant wins for Trend Micro, along with its industry partners and law enforcement authorities, in the fight against cybercrime

2011 was a particularly challenging year for
the security industry, as several organizations
succumbed to targeted data breach attacks
that soiled their reputations via the loss of
confidential information and caused them to
spend huge sums of money on fixing the damage
done. Two of the biggest targets—RSA1 and Sony
PlayStation2—were left with no other choice
but to publicly disclose facts about the attacks
against their infrastructure so their customers
could ensure proper mitigation.
1 http://www.rsa.com/node.aspx?id=3872
2 http://arstechnica.com/gaming/news/2011/04/sony-admits-utter-psn-failureyour-personal-data-has-been-stolen.ars

• RSA released best practices for victims and
replaced tokens belonging to defense industry
customers as remediation3
• Information stolen from RSA’s systems was used
in a broader attack on its client Lockheed Martin—
the biggest IT provider to the U.S. government4
3 http://www.rsa.com/node.aspx?id=3891
4 http://uk.reuters.com/article/2011/05/26/us-lockheed-networkidUKTRE74P7U320110526

Mobile malware seemingly took the world
by storm, catching users unaware with the
whopping increase in the Android malware
volume alone.8 Mobile malware invaded device
users’ privacy by stealing personal and other
kinds of confidential information. RuFraud9
and DroidDreamLight10—just two of the most
notorious Android malware variants—took much
of the spotlight, causing millions of users a lot of
grief from losing data and, at times, money.
8 http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/
9 http://blog.trendmicro.com/2011-in-review-mobile-malware/
10 http://blog.trendmicro.com/massive-code-change-for-new-droiddreamlightvariant/

2011 saw the mobile threat landscape
mature, as evidenced by the staggering
spike in the mobile malware volume.
2011 PREDICTION

We will see more mobile device attacks.

DROIDDREAMLIGHT VARIANTS
• Mostly found in China-based third-party app stores, though some variants also plagued the Android Market
• Come in the guise of battery-monitoring, task-listing, and installed-app-identifying tools, among others
• Steal all sorts of device and personal information, which is sent to a remote URL
• Secretly send messages to affected users’ contacts
• Check if infected devices have been rooted and, if so, install and uninstall certain packages

51.9M: number of Android-based devices12
(Infographic: the figures for the number of active Facebook users who access the site via mobile devices and for the number of mobile operators worldwide that deploy and promote Facebook’s mobile products13 were not preserved in the extracted text.)

RUFRAUD VARIANTS
• Found in the Android Market
• Categorized as “premium-service abusers”
• Were taken off the Android Market by Google soon after their discovery
• May have been downloaded by some users before being taken off Google’s official app store, as these proliferated in time for the Android

“If current trends hold, we may
be able to see more than
120,000 malicious Android apps
by the end of 2012.”14
—Menard Oseña,
Trend Micro Solutions
Product Manager
14 http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/

Survey scams and all kinds of spam leveraging
every trending topic imaginable littered social
networking sites throughout 2011. Armed
with improved social engineering and hacking
tactics and tools, spammers and scammers
alike continued to wreak havoc among social
networkers worldwide, all after the so-called
“new currency”—data.16 In light of the situation,
regulators have started demanding that social
networking sites implement policies and
mechanisms to protect the privacy of their
users.17
16 http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=Spam%2c+Scams+and+Other+Social+Media+Threats
17 http://dataprotection.ie/viewdoc.asp?DocID=1175&m=f

2011 was a good year for social media
spammers and scammers but not such a good
one for site administrators and regulators.
2011 PREDICTION

We will see more clever malware campaigning.

SOCIAL MEDIA SPAM
• Use practically every trending topic possible, such as Lady Gaga’s supposed death, to lure victims
• Drop big media companies’ names, such as the British Broadcasting Corporation (BBC), as senders
• Make use of links to phishing pages and fake sites that serve as malware hosts or site redirectors
• Spread via automatic reposting on victims’ Walls or retweets18
• Take advantage of even the most unfortunate events, such as Hurricane Irene, to gain as many victims as possible, most likely for financial gain19
• Ride on popular gadget or application releases to get user clicks20
18 http://blog.trendmicro.com/facebook-scam-leverages-lady-gagas-deathbypasses-https/
19 http://blog.trendmicro.com/hurricane-irene-scam-hits-facebook/
20 http://blog.trendmicro.com/seasons-warnings-iphone-4s-scam-and-otherholiday-threats/

SURVEY SCAMS
• Use newsworthy events and tempting offers, such as premiere movie tickets, to trick users into clicking links to survey pages21
• Leave victims with stolen personal data or, worse, thinner wallets22
21 http://blog.trendmicro.com/free-breaking-dawn-part-2-tickets-scam-spreads-infacebook/
22 http://blog.trendmicro.com/survey-scams-as-cross-platform-threats/

“With or without Facebook,
unenlightened users will make
a mistake and divulge private
information no matter what
social network you drop them
in to.”
—Jamz Yaneza,
Trend Micro Threat
Research Manager

TOP 3 PUBLICLY AVAILABLE INFORMATION ON SOCIAL MEDIA
• Email addresses
• Hometown
• High school

3 MOST COMMON FACEBOOK ATTACK TYPES
• Likejacking attacks
• Rogue application propagation attacks
• Spam campaigns

TOP 3 SOCIAL MEDIA SECURITY RISKS
• Malware infection
• Data leakage
• Unwilling attack participation

Even though the number of publicly reported
vulnerabilities decreased from 4,651 in 2010
to 4,155 in 2011,23 exploit attacks improved in
terms of both complexity and sophistication. The
exploit attacks we saw in 2011 were targeted,
original, and well controlled, the most notable of
which set their sights on CVE-2011-3402, CVE-2011-3544, and CVE-2011-3414,24 along with a
couple of Adobe product zero-day vulnerabilities
that were exploited in the wild.25
23 http://cvedetails.com/browse-by-date.php
24 http://blog.trendmicro.com/microsoft-releases-out-of-band-update-before-yearends/
25 http://blog.trendmicro.com/2011-in-review-exploits-and-vulnerabilities/

2011 continued to be a bad one in terms of
exploits despite the decline in the number
of publicly reported vulnerabilities.
2011 PREDICTION

We will see the use of vulnerabilities and exploits evolve.

CVE-2011-3402
• A vulnerability in a Microsoft Windows component that may allow an attacker to execute code on vulnerable systems
• Exploited by DUQU malware26

CVE-2011-3414
• A vulnerability that may lead to elevation of privilege if a potential attacker sends a maliciously crafted web request to a target
• Can lead to the execution of arbitrary commands via existing accounts on the ASP.NET site
• The vulnerability that Microsoft released an out-of-band patch for before 2011 ended28
28 http://about-threats.trendmicro.com/vulnerability.aspx?language=us&name=Vulnerabilities%20in%20.NET%20Framework%20Could%20Allow%20Elevation%20of%20Privilege%20(2638420)

“The trends that we saw in 2011
are going to continue in 2012. We
will just see attacks become more
complicated.”34
—Pawan Kinger,
Trend Micro Vulnerability
Research Manager
34 http://blog.trendmicro.com/2011-in-review-exploits-and-vulnerabilities/

Malware, spam, and malicious links continued
to cause users grief, wreaking havoc in
innumerable ways. Malware such as SpyEye,35
KOOBFACE,36 FAKEAV,37 and other variants
underwent further enhancements in order to
spread more malice while evading detection.
Spam sporting malicious links, meanwhile, has
become a multiplatform threat, invading not just
users’ systems but also their mobile devices.38
Malicious links leading to all kinds of web threats
continued to riddle direct messages and posts in
various social networking sites. Whether utilized
as separate infection tools or combined to form
more powerful multipronged threats, malware,
spam, and malicious links lived on as part of
the threat landscape’s white noise, allowing
cybercriminals to profit from selling stolen data.
35 http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/from_russia_to_hollywood-turning_the_tables_on_a_spyeye_cybercrime_ring.pdf
36 http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/more_traffic__more_money-koobface_draws_more_blood.pdf
37 http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/targeting_the_source-fakeav_affiliate_networks.pdf
38 http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/spam_trends_in_today_s_business_world.pdf

2011 continued to be plagued by attacks
that made use of traditional vectors, which
refused to quietly fade into the background.
2011 PREDICTION

We will see old malware reinfections and consolidation in the cybercriminal
underground.

“3.5 new threats are created
every second. As more and more
businesses and home users take
the inevitable journey to the
cloud, risks of data and financial
loss are greater than ever.”40
—Trend Micro
40 http://blog.trendmicro.com/threat-morphosis/

Hacktivist groups such as Anonymous, under
the Operation AntiSec banner, and LulzSec, as
in years past, continued to cast their nasty nets
over Internet users. Disgruntled with various
political issues, members of hacktivist groups
worldwide launched a plethora of attacks against
carefully chosen targets. In 2011, hacktivists
who used to focus on launching distributed
denial-of-service (DDoS) attacks instead turned
to stealing their targets’ data. Despite news of
LulzSec’s disbandment, attacks continued to
ensue, partly owing to the decentralized nature
of hacktivist groups.42
42 http://blog.trendmicro.com/lulzsec-disbands-now-what/

2011 witnessed the emergence of new threat
actors with politically charged agendas.

STRATFOR HACKTIVIST ATTACK
• Some of the organization’s members’ personally
identifiable information (PII), including credit card
data, was publicly disclosed on December 24, 2011
• A list of the organization’s members, classified as
“private clients,” was also released to the public43
• Anonymous, which was believed to have been
behind the attack, denied its involvement44
• LulzSec’s supposed leader, Sabu, claimed to have
been responsible for the attack45
43 https://www.facebook.com/stratfor/posts/10150456418503429
44 http://pastebin.com/8yrwyNkt
45 https://twitter.com/#!/anonymouSabu/status/151141501492137986

PII STOLEN DURING THE STRATFOR HACKTIVIST ATTACK
(Infographic: the figures 68,063, 859,311, and 50,569 appeared alongside the categories “unique credit card numbers, ~36,000 of which had yet to expire” and “unique email addresses,” but the extracted text does not preserve which figure belongs to which category.)

“We don’t believe that the
people behind LulzSec have
stopped their activities. Instead,
they disbanded due to the
attention they were getting from
law enforcement and other
hackers less approving of their
activities.”46
—Kevin Stevens,
Trend Micro Senior
Threat Researcher
46 http://blog.trendmicro.com/lulzsec-disbands-now-what/

Despite being another challenging year,
2011 also proved to be a successful one for
both the security industry and its fellow
cybercrime fighters. Before 2011 drew to a close,
we saw various cybercriminal operations close
down as well. Trend Micro, for its part, fought
side by side with its industry partners and law
enforcement agencies worldwide in bringing
down what has been dubbed the “Biggest
Cybercriminal Takedown in History.”49
49 http://blog.trendmicro.com/esthost-taken-down-biggest-cybercriminaltakedown-in-history/

2011 marked significant wins for Trend
Micro, along with its industry partners
and law enforcement authorities, in
the fight against cybercrime.

RUSTOCK BOTNET TAKEDOWN
• The Rustock botnet was taken down by Microsoft on March 16, 2011
• TrendLabs data showed a >95% decrease in Rustock spam on March 16, at around the same time the botnet was taken down50
• Microsoft published ads in Russian newspapers that offered a US$250,000 reward to anyone who gave information that led to the identification, arrest, and conviction of the Rustock gang members
• Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize Rustock’s servers, which set an important legal precedent for future cases
50 http://blog.trendmicro.com/the-final-nail-on-rustock’s-coffin—or-is-it/

“2011 proved that collaboration
between law-enforcement
authorities and the security
industry can have a major impact.
For major cybercriminals, it is no
longer a question of ever getting
arrested but when.”
—Feike Hacquebord,
Trend Micro Senior
Threat Researcher

KELIHOS BOTNET TAKEDOWN
• Microsoft convinced a federal judge to allow it to
block all of Kelihos’s command-and-control (C&C)
servers’ IP addresses in September 2011 without
first informing their owners
• The cz.cc domain owner was explicitly named in
the complaint
• The cz.cc domain takedown took hundreds of
thousands of Kelihos’s subdomains offline, setting
an example for all other rogue second-level
domains (SLDs) to be more accountable for abuse
incidents

COREFLOOD TAKEDOWN
• The takedown was facilitated by the U.S.
Department of Justice (DOJ) and by the Federal
Bureau of Investigation (FBI)51
• The FBI took over CoreFlood’s C&C servers and
operated these until mid-June 2011
• The FBI sent a stop command to the bots in
the United States, causing the malware to exit
systems
• Marked the first time the U.S. government
took over a botnet’s C&C infrastructure and
pushed a command to its bots so these became
unreachable to botmasters
51 http://blog.trendmicro.com/a-win-for-the-good-guys-the-coreflood-takedown/

OPERATION GHOST CLICK
• Trend Micro and its industry partners, along with the FBI and the Estonian Police Force, took down
• The FBI raided two data centers in New York City and Chicago as well as took down Rove Digital’s C&C infrastructure, which comprised

CHRONOPAY TAKEDOWN
• Co-founder and CEO of credit card clearinghouse Chronopay, Pavel Vrublevsky, was arrested in Russia for an alleged cyber attack against a competitor in June 2011
• Another major Chronopay shareholder—Rove Digital CEO, Vladimir Tsastsin—was arrested as part of Operation Ghost Click

OPERATION TRIDENT BREACH
• The Security Service of the Ukraine (SBU) detained key members of the Trident Breach gang on September 30, 2010
• Banking accounts with millions of cash were frozen and other assets were confiscated
• 8 search warrants were executed by ~50 SBU officers and its elite tactical operations teams
• Targeting small and medium-sized businesses (SMBs), municipalities, churches, and individuals as well as infecting their systems with ZeuS malware, the gang’s scheme resulted in the attempted theft of US$220M, with actual losses of US$70M from victims’ bank accounts
• The FBI, the New York Money Mule Working Group, the Newark Cybercrime Task Force, the Omaha Cybercrime Task Force, the Netherlands Police Agency, the SBU, and the United Kingdom’s Metropolitan Police Service participated in Operation Trident Breach52
52 http://www.fbi.gov/news/pressrel/press-releases/international-cooperationdisrupts-multi-country-cyber-theft-ring

This year, as we look ahead, we’ve come up with 12
predictions for 2012 that fall into four main categories:
• Big IT trends
• Mobile landscape
• Threat landscape
• Data leaks and breaches

In looking at these predictions, what we see in common are
trends toward ever more sophisticated attackers and away
from the PC-centric desktop. Our hope that new OSs would make
the world a safer place didn’t work out. This means that our
customers in 2012 will need to continue moving toward a
more data-centric model for effective security and privacy
as they embrace consumerization, virtualization, and the
cloud. And we here at Trend Micro need to continue our
work in these key areas to help our customers
meet and protect against these threat trends in 2012.53

Trend Micro Incorporated, a global cloud security leader, creates a world
safe for exchanging digital information with its Internet content security
and threat management solutions for businesses and consumers. A
pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’
and partners’ needs; stops new threats faster; and protects data in
physical, virtualized, and cloud environments. Powered by the Trend
Micro™ Smart Protection Network™ infrastructure, our industry-leading
cloud-computing security technology, products, and services stop threats
where they emerge, on the Internet, and are supported by 1,000+ threat
intelligence experts around the globe. For additional information, visit
www.trendmicro.com.

TrendLabs is a multinational research, development, and support
center with an extensive regional presence committed to 24 x 7 threat
surveillance, attack prevention, and timely and seamless solutions
delivery. With more than 1,000 threat experts and support engineers
deployed round-the-clock in labs located around the globe, TrendLabs
enables Trend Micro to continuously monitor the threat landscape
across the globe; deliver real-time data to detect, to preempt, and to
eliminate threats; research on and analyze technologies to combat
new threats; respond in real time to targeted threats; and help
customers worldwide minimize damage, reduce costs, and ensure
business continuity.